MyBank: Update on e-authorisation Solutions

The payments industry is undergoing a period of accelerating change and innovation. Some of these changes are being mandated by regulators. Others are coming from new technological developments such as the rise of apps, mobile devices, 24/7/365 services and social media, which are having an irreversible impact on customer demands and expectations. In May 2011, in Barcelona,
merchants voiced the need for a pan-European online banking electronic payment (OBeP) solution.

In June 2011,
CLEARING, driven by an analysis from the market and a call from regulators such as the European Central Bank (ECB), saw a need for a new range of ‘e-services’ that would build on Single Euro Payments Area (
) infrastructure and meet the needs of merchants, consumers and regulators. A blueprint (‘the Blueprint’ – see ‘related links’ below) for a pan-European e-service solution was published, which described the rationale for a solution allowing access to payment accounts. This Blueprint was at the basis of the creation of MyBank.

The Blueprint recognised the need for services supporting the mobile and online economy with a secure protocol, an internet-based system open to all regulated entities, and a harmonised set of request/response messages. We call these services Application Programing Interfaces (
) now. It was also a core principle that the services to be delivered would not only be related to payments but also encompass new offerings enabling financial and non-financial information exchange, including identity verification.

Now, in 2015, the urgency has become highly evident, as the market struggles to understand the implications of access to account,
, the digital bank, the mobile revolution, the vast sums being poured into FinTech, the alarm at growing rates of card-not-present fraud and public concern over privacy and data protection.

Today, there is a wider range of players with different profiles operating in the payments market and a variety of choices are offered to all customers. In this new digital market, financial institutions are looking for simple and practical solutions that meet the changed and changing needs and expectations of their customers.

Many recent articles have been looking at the impact of this changing market and increased competition on banks as traditional providers of payment services. Quite a few have concluded that the outlook for banks is positive as long as they make use of the opportunities these changes present (see ‘related links’ below). Some journalists or commentators are even describing very clearly what sort of solutions are needed (see ‘related links’ below).

MyBank is one practical example of such an interface and is gaining traction in the market. At the end of 2015, over 50 million customers in six different countries will have access to MyBank.

Digital single market and the continued threat of fragmentation

As part of the digital single market, a number of initiatives directly affecting the payments industry have been launched, which are shaking up the way we think about payments. The European Banking Authority’s (
) “Guidelines for the security of internet payments” (see ‘related links’ below) mandate ‘strong authentication’ for most payments, wallet, card transactions and mandate transactions, and the national implementations of these rules come into place in August 2015.

The ECB and the Euro Retail Payments Board (
) have called for the industry to provide “instant payments” (see ‘related links’ below). Instant payments require instant information services between the payer and the payee and any payment service providers (
) or other regulated third parties involved in the transaction. MyBank and other e-authorisation services can provide the initiation of instant payment transactions and the receipt of real-time confirmation messages by the parties involved. A real-time authorisation, with a real-time payment behind it, would be a powerful instrument.

The European Commission’s latest draft of the revised Payment Services Directive (
) defines requirements for account-servicing
to allow retail customers to initiate payments through payment-initiating
(often known as Third Party Providers (
)). There is growing excitement about access to accounts as an
, where banking
are also becoming a topic of interest to regulators. The account access mechanism will have to be compliant with regulatory technical standards and MyBank is well placed to serve as such a mechanism providing standardised access to account services in line with the future
.

These initiatives point towards the need for a harmonised environment based on secure authentication that will fulfil the advancing requirements of payers and payees with regard to e- and m-payments.

While the regulatory push is clear, there is a risk that Europe could develop fragmented solutions that are innovative in a specific sector or country but cannot be used universally. Furthermore, the industry may take a ‘minimum compliance’ approach to the new regulations, and so miss out on the other value creation opportunities that exist if they go beyond the scope of the
and offer additional services.

Business-to-business and consumer-to-business use of
e-authorisation

By the end of June 2015, over 200 million euros worth of purchases had been made with MyBank, a figure that is growing by 25 percent per month, with most of the traffic concentrated in Italy. The MyBank experience shows that when you give people access to tools to unlock the digital environment, they will use them in ways that you did not expect. As an example, the average transaction value of MyBank is far higher than the average e-commerce transaction value, which stands at €110. In fact, for consumer-to-business (C2B) payments (54% of the volume) the average value is €450. For business-to-business (B2B) payments (46% of the volume) the average value is €4,500. These value ranges put normal MyBank usage outside the range of most other payment tools (e.g. cards) that banks offer to their retail and corporate customers for online purchases.

The use cases have been far more varied than anticipated. In addition to commercial purchases, consumers are willing to use e-authorisation services to settle electricity bills, subscribe to insurance contracts and pay for government services.

MyBank and other online account-based payment methods clearly allow the financial industry to deliver value to merchants and consumers. The key benefits for merchants of such e-authorisation services, as described by the merchants themselves, are shown below.

MyBank Mandates: meeting mandate requirements now and for the future

The European Payments Council’s
Direct Debit Core Scheme (
) requires the signing of direct debit mandates, which are expressions of consent by the payer to be debited (see ‘related links’ below). The Fraunhofer white paper on e-mandates (see ‘related links’ below) lays out three conceptual models for mandate creation, which range from the payer ticking a box on the creditor’s website (2 corner), to using a trusted third party on the creditor side for facilitating the consent process (3 corner), to using trusted third parties, e.g.
, supporting the creditor and the debtor in the mandate creation process (4 corner).

In accordance with the
Core Scheme Rulebook Annex VII on E-Mandates, the four-corner model is seen by Fraunhofer as being the most secure and has the advantage that it allows not only to check the consent of the account holder but also to verify that the International Bank Account Number (IBAN) given in the mandate is the correct one.

In general within the market we have to recognise that there is not yet any wide-spread awareness that e-mandates which are authorised by the debtor via his/her e- or m-banking channel allow merchants to easily take advantage of:

Normal recurring ‘utility bill’ type payments.

Purchases with payment by instalments.

One-off payments, both where the amount is or is not known at the point of ordering (e.g. car hire).

B2B Direct Debits.

Basic identity verification features that can be used as part of customer due diligence, where the merchant needs to collect (and the consumer agrees to give) verifiable details about the customer, such as his or her age.

Again, this is not just theory. MyBank Mandates will have live banks in multiple countries before the end of 2015, with strong demand from large merchants for this service.

Identity verification services

As people conduct more of their day-to-day activities via online mechanisms, the concerns related to privacy, trust and identification of parties are growing exponentially. A 2014 Ecommerce Europe paper on the need for online trust services calls on European policy makers and stakeholders for a “move forward with e-identification and authentication” and a commitment to “come up with solutions that reuse existing authentication solutions” (see ‘related links’ below). Multiple government initiatives exist at both the domestic and pan-European level, e.g. STORK (see ‘related links’ below).

There have been a good number of articles in this newsletter and other publications that clearly explain why identity verification is important, which key role account-servicing
can play in this area and that there is a new revenue stream to be made from such services (for examples, see ‘related articles in previous issues’ below).

These papers draw the link between four unique assets held by account-servicing
today: strong authentication mechanisms, Know Your Customer (KYC) data, the ability to create networks and reach all citizens, and above all, the trust of those citizens that their
will protect their data. In some European countries, commercial banks have been offering e-identity verification services for years and there are often new services entering this nascent market.

Over the past twelve months, MyBank has consulted with merchants, banks, specialist identity service providers to define the contents of the MyBank Identity Verification Pilot. In May 2015, the MyBank Identity vision document (see ‘related links’ below) was released along with a call for pilot banks and pilot merchants.

MyBank Identity Verification is an ISO 20022-compliant identity verification service, which uses the same technical system and protocols as the MyBank payment and mandate offerings. It allows businesses and public authorities to verify a physical or legal person’s identity by getting a confirmation from the
on the instruction of the account holder.

Identity Functions will include:

Authentication (logon to other services).

Verification that a person exists and has a payment account.

Verification / provision of name, address, IBAN, age.

Contract agreement, provision of consent.

Customer due diligence.

In later phases, these will include:

Electronic signatures.

With the combination of secure authentication and the data that the account-servicing
holds, merchants are able to understand very quickly the cost savings and benefits of being able to onboard a customer, without needing to capture and store paper. On the other hand, consumers feel comfortable using an effective solution that puts them in control of their data and makes their life simpler and easier.

Conclusion

Society is going online and mobile, and the trust amongst the different market actors is key for achieving an efficient digital single market. This requires creating or reengineering processes to better serve all parties in the end-to-end transaction chain by optimally supporting them in their interactions.

The payments industry is undergoing considerable change, but many of the challenges present opportunities to engage more with customers, to provide new services and to find new modes consistent with the economy’s digital evolution through sustainable business models. The changing requirements confirm the need for security, identity protection and control of financial flows, which means that banks and payment institutions can generate a significant value to consumers, businesses and public administrations by developing and adopting services responding to these needs. MyBank is a concrete example of a solution allowing
to move forward on this path.

John Broxis is Managing Director of PRETA, a wholly owned subsidiary of
CLEARING.

Giorgio Ferrero is the Chairman of PRETA, a wholly owned subsidiary of
CLEARING.

MyBank is owned and managed by PRETA S.A.S. today controlled by
CLEARING.

Your reactions

If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.

In this article

At a time of significant change in the payments market, many market commentators are suggesting that there is an unprecedented opportunity for new and existing players in the financial services industry to provide new and valuable services to society. In this article, Giorgio Ferrero, Chairman of PRETA, and John Broxis, Managing Director of PRETA, describe the development and uptake of e-authorisation solutions, in the context of today’s regulatory and market evolutions, such as the revised Payment Services Directive (
), Access to Account (XS2A) and application programming interfaces (
).

This article focuses on the practical usage and growing popularity of account-based payments for online transactions, and highlights some of the unexpected upsides, such as business-to-business (B2B) usage, that can emerge as a result of the introduction of new e-authorisation tools in this context. It also covers the additional value that account-servicing institutions can leverage for their customers by offering electronic mandate creation and identity verification services, focusing on simple and practical implementation possibilities that are being developed today.

The views expressed in this article are solely those of the author and should not be attributed to the European Payments Council.

Key Information in this Article

An implementation-orientated way forward is needed for the benefit of the market stakeholders if they are to meet the expectations set for the digital single market.

There is a clear and burning need for account-based identity verification services, leveraging strong authentication and the network of the financial services industry, and there are simple ways to deliver these services based on an Application Programing Interface (
) model.

In 2011,
CLEARING created MyBank, an e-authorisation solution that enables safe digital payments and identity verification, and contract agreements through a consumer or business’s own online banking portal or mobile application, to answer the need for a new range of transaction-related services offered by payment service providers (
) and other players, where a rapid growth is already registered.

MyBank is being used to make consumer-to-business (C2B) payments to e-commerce companies, utilities, insurance companies and public authorities. The solution is also being used for larger value business-to-business (B2B) transactions.